How to verify a post-receive hook request actually came from github?

Question

Github offers a way to let a URL know when a project has been updated using webhooks.

How do I verify that a post sent to my server\'s post-receive hook act

Answer 1

Take a look at GitHub's docs on the subject: they suggest using HTTPS and basic authentication.

Specifically, set up your Payload URL in this format:

https://yourUser:yourPass@yoursite.net/path

If you have a number of users, you'd give each a different username & password. Assuming they keep that password private, you can then trust that an authenticating request really does come from GitHub and from that account.

See also: https://github.com/blog/237-basic-auth-post-receives